You can configure the key information for the server-side and client-side
bindings using an assembly tool. The request generator is configured for the
client, and the response generator is configured for the server.
About this task
This key information is used to specify the configuration that is
needed to generate the key for digital signature and encryption. The signing
information and encryption information configurations can share the key information.
The key information on the consumer side is used for specifying the information
about the key that is used for validating the digital signature in the received
message or for decrypting the encrypted parts of the message.
Complete the
following steps. You must configure either the client-side bindings in step
2 or the server-side bindings in step 3.
Procedure
- Start the assembly tool.
- Switch to the Java 2 Platform, Enterprise Edition (J2EE) perspective.
Click Window > Open Perspective > J2EE.
- Optional: Locate the client-side bindings using the
Project Explorer window. The Client Deployment Descriptor window
is displayed. This Web service contains the bindings that you need to configure.
  - Expand the Web Services > Client section and double-click
  the name of the Web service.
  - Click the WS Binding tab and expand the Security Request
  Generator Binding Configuration section.
- Optional: Locate the server-side bindings using the
Project Explorer window. The Web Services Editor window is displayed.
This Web service contains the bindings that you need to configure.
  - Expand the Web Services > Services section and double-click
  the name of the Web service.
  - Click the Binding Configurations tab and expand the Response
  Generator Binding Configuration Details section.
- Expand the Key Information section and click Add to add
a new entry or click Edit to edit a selected entry.
- Specify a unique name for this configuration in the Key information
name field. For example, you might specify gen_signkeyinfo.
This configuration name is referenced by the Key information element within
the Signing Information and Encryption Information dialog windows. For more
information, see Configuring signing information for the generator binding with an assembly tool and Configuring encryption information for the generator binding with an assembly tool.
- Select a key information type from the Key information type field.
The key information types specify different mechanisms for referencing
security tokens. The assembly tools support the following key information
types:
  - STRREF: This type is the security token reference. The security token is directly
  referenced using Uniform Resource Identifiers (URIs). The following <KeyInfo> element
  is generated in the Simple Object Access Protocol (SOAP) message for this key information type:
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Reference URI="#mytoken" />
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  - EMB: This type is the embedded token. The security token is directly embedded
  within the <SecurityTokenReference> element. The following <KeyInfo> element
  is generated in the SOAP message for this key information type:
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Embedded wsu:Id="tok1">
          …
        </wsse:Embedded>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  - KEYID: This type is a key identifier. The security token is referenced using
  an opaque value that uniquely identifies the token. The algorithm that is
  used for generating the key identifier value depends upon the token type.
  The following <KeyInfo> element is generated in the SOAP message for this
  key information type:
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <wsse:SecurityTokenReference>
        <wsse:KeyIdentifier ValueType="wsse:X509v3">/62wXO...</wsse:KeyIdentifier>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  - KEYNAME: This type is the key name. The security token is referenced using a name
  that matches an asserted identity within the token. The following <KeyInfo> element
  is generated in the SOAP message for this key information type:
    <ds:KeyInfo>
      <ds:KeyName>CN=Group1</ds:KeyName>
    </ds:KeyInfo>
  - X509ISSUER: This type is the X.509 certificate issuer name and serial number. The
  security token is referenced by the issuer name and serial number of
  an X.509 certificate. The following <KeyInfo> element is generated in the
  SOAP message for this key information type:
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <ds:X509Data>
          <ds:X509IssuerSerial>
            <ds:X509IssuerName>CN=Jones, O=IBM, C=US</ds:X509IssuerName>
            <ds:X509SerialNumber>1040152879</ds:X509SerialNumber>
          </ds:X509IssuerSerial>
        </ds:X509Data>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
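The five key information types above differ only in what the receiving side has to resolve before it can validate a signature or decrypt: a URI, an embedded token, an opaque identifier, a key name, or an issuer/serial pair. The following Python is an added example, not code from the assembly tool, WebSphere, or this page: it generates each <KeyInfo> shape with ElementTree on the generator side and, on the consumer side, recognises which type a received element uses so that the right lookup can be applied. The XML Signature and WS-Security 1.0 namespace URIs are the standard ones; the function names build_key_info, classify_key_info and round_trip are chosen here, and the token bytes and identifiers passed in are constructed sample values.

```python
"""Generate and classify WS-Security <ds:KeyInfo> elements (added example).

Not code from the assembly tool or WebSphere. Namespace URIs are those of
XML Signature and WS-Security 1.0; sample identifiers are constructed.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
for prefix, uri in (("ds", DS), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)


def q(ns, local):
    """Clark-notation tag name ({namespace}local) as ElementTree expects it."""
    return "{%s}%s" % (ns, local)


def build_key_info(kind, **p):
    """Generator side: build the <ds:KeyInfo> element for one key information type."""
    key_info = ET.Element(q(DS, "KeyInfo"))
    if kind == "KEYNAME":
        ET.SubElement(key_info, q(DS, "KeyName")).text = p["name"]
        return key_info
    str_ref = ET.SubElement(key_info, q(WSSE, "SecurityTokenReference"))
    if kind == "STRREF":
        ET.SubElement(str_ref, q(WSSE, "Reference"), URI=p["uri"])
    elif kind == "EMB":
        emb = ET.SubElement(str_ref, q(WSSE, "Embedded"), {q(WSU, "Id"): p["id"]})
        # The token itself sits inside <wsse:Embedded>; p["token"] is a constructed stand-in.
        ET.SubElement(emb, q(WSSE, "BinarySecurityToken")).text = p["token"]
    elif kind == "KEYID":
        kid = ET.SubElement(str_ref, q(WSSE, "KeyIdentifier"), ValueType=p["value_type"])
        kid.text = p["value"]
    elif kind == "X509ISSUER":
        x509_data = ET.SubElement(str_ref, q(DS, "X509Data"))
        serial = ET.SubElement(x509_data, q(DS, "X509IssuerSerial"))
        ET.SubElement(serial, q(DS, "X509IssuerName")).text = p["issuer"]
        ET.SubElement(serial, q(DS, "X509SerialNumber")).text = p["serial"]
    else:
        raise ValueError("unknown key information type: %s" % kind)
    return key_info


def classify_key_info(xml_text):
    """Consumer side: return (type, reference) for a received <ds:KeyInfo>.

    Raises ValueError for anything that is not one of the five known shapes,
    so an unexpected reference mechanism is rejected rather than guessed at.
    """
    root = ET.fromstring(xml_text)
    if root.tag != q(DS, "KeyInfo"):
        raise ValueError("expected ds:KeyInfo, got %s" % root.tag)
    key_name = root.find(q(DS, "KeyName"))
    if key_name is not None:
        return "KEYNAME", key_name.text
    str_ref = root.find(q(WSSE, "SecurityTokenReference"))
    if str_ref is None:
        raise ValueError("KeyInfo carries neither KeyName nor SecurityTokenReference")
    ref = str_ref.find(q(WSSE, "Reference"))
    if ref is not None:
        return "STRREF", ref.get("URI")
    emb = str_ref.find(q(WSSE, "Embedded"))
    if emb is not None:
        return "EMB", emb.get(q(WSU, "Id"))
    kid = str_ref.find(q(WSSE, "KeyIdentifier"))
    if kid is not None:
        return "KEYID", (kid.get("ValueType"), kid.text)
    issuer = str_ref.find(q(DS, "X509Data") + "/" + q(DS, "X509IssuerSerial"))
    if issuer is not None:
        return "X509ISSUER", (issuer.findtext(q(DS, "X509IssuerName")),
                              issuer.findtext(q(DS, "X509SerialNumber")))
    raise ValueError("SecurityTokenReference uses an unsupported reference mechanism")


def round_trip(kind, **p):
    """Serialise a generated KeyInfo and classify it exactly as a consumer would."""
    return classify_key_info(ET.tostring(build_key_info(kind, **p)))


if __name__ == "__main__":
    elem = build_key_info("X509ISSUER", issuer="CN=Jones, O=IBM, C=US", serial="1040152879")
    print(ET.tostring(elem, encoding="unicode"))
    print(round_trip("STRREF", uri="#mytoken"))
```

The classifier mirrors the consumer-side configuration the task describes: the type it reports must be one the consumer's key locator can actually resolve (a URI into the Security header, an embedded token, a key identifier, a key name, or an issuer/serial pair). Returning a value only for the five known shapes, and raising for everything else, keeps an unrecognised reference from silently falling through to a default key.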
- Select the Use key locator option.
- Select the name of a key locator configuration from the Key
locator field. The value of this field is a reference to a key
locator that specifies how to find keys or certificates. For more information,
see Configuring key locators for the generator binding with an assembly tool.
- Specify a key name in the Key name field. The value
is the name of a key that is used for generating the digital signature and
for encryption. The list of key names comes from the key locator that you specified
previously.
- Optional: Select the Use token option and a
token generator configuration in the Token field if a token generator is required
for the key information configuration. The token that you select
specifies a reference to a token generator that is used for processing the
security token within the message. Before you specify a token reference, you
must configure a token generator. For more information on token generator
configurations, see Configuring token generators with an assembly tool.